Title here
Summary here
Clustering
Overview
ASA clustering allows multiple ASA units to operate as a single logical firewall, providing both increased throughput and high availability. In spanned EtherChannel mode, port-channels span across all cluster members, with upstream and downstream switches seeing a single logical link.
Key concepts:
- All units share a single configuration managed by the control unit (master)
- Data interfaces use spanned EtherChannels — port-channels that span across all cluster members
- A dedicated Cluster Control Link (CCL) handles inter-unit communication, health monitoring, and state sync
- The control unit is elected based on priority (lower value = higher priority)
- Only the control unit needs full interface configuration (nameif, IP) — data units sync automatically
console-replicatemirrors console messages from data units to the control unit
Video Walkthrough
Video coming soon.
Prerequisites
- All ASA units must have identical hardware, modules, and software version.
- All units must be in the same firewall mode (routed or transparent) — or if using multiple context mode with mixed modes, Spanned EtherChannel must be used
- All units must be in the same context mode (single or multiple).
- In multiple context mode, all configuration is done from the system execution space.
- A dedicated physical interface for the Cluster Control Link (CCL).
- Upstream and downstream switches must support multi-chassis EtherChannel (e.g., Cisco vPC, VSS, or StackWise).
cluster interface-mode spannedmust be set before any interface configuration.
Configuration Steps (CLI)
ASA1 (Control Unit)
1. Set Cluster Interface Mode
This defines how data interfaces operate across the cluster. If the ASA already has interface configuration, this command triggers a reboot to factory-default. On a factory-default device, it applies immediately without a reboot:
ASA1(config)# cluster interface-mode spanned2. Configure Member Interfaces for Port-Channel 1 (Outside)
ASA1(config)# interface Ethernet0
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shutdown
ASA1(config)# interface Ethernet1
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shutdown3. Configure Member Interfaces for Port-Channel 2 (Inside)
ASA1(config)# interface Ethernet2
ASA1(config-if)# channel-group 2 mode active
ASA1(config-if)# no shutdown
ASA1(config)# interface Ethernet3
ASA1(config-if)# channel-group 2 mode active
ASA1(config-if)# no shutdown4. Configure the Cluster Control Link (CCL) Physical Interface
ASA1(config)# interface Ethernet7
ASA1(config-if)# no shutdownThe CCL interface does not get a nameif or security-level — it is dedicated to cluster communication only.
5. Configure Spanned Data Port-Channels
ASA1(config)# interface Port-channel1
ASA1(config-if)# port-channel span-cluster
ASA1(config-if)# nameif outside
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 192.168.50.200 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface Port-channel2
ASA1(config-if)# port-channel span-cluster
ASA1(config-if)# nameif inside
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.60.200 255.255.255.0
ASA1(config-if)# no shutdownThe port-channel span-cluster command makes the EtherChannel span across all cluster members. The IP address configured here is shared across the cluster — it always belongs to the control unit.
6. Configure Cluster Bootstrap and Enable
ASA1(config)# cluster group ASA-Clusters
ASA1(cfg-cluster)# local-unit ASA1-Unit
ASA1(cfg-cluster)# cluster-interface Ethernet7 ip 10.10.10.1 255.255.255.252
ASA1(cfg-cluster)# console-replicate
ASA1(cfg-cluster)# priority 1
ASA1(cfg-cluster)# enablelocal-unit— unique name identifying this membercluster-interface— assigns the CCL interface and its unique IP per memberconsole-replicate— mirrors console messages from data units to the control unit for centralized monitoringpriority 1— lower value means higher priority for control unit election
ASA2 (Data Unit)
ASA2 needs the same interface and port-channel membership configuration, but does not need nameif or IP addresses on the data port-channels — these sync from the control unit automatically.
1. Set Cluster Interface Mode
ASA2(config)# cluster interface-mode spannedThis triggers a reboot on ASA2 as well.
2. Configure Member Interfaces for Port-Channel 1 (Outside)
ASA2(config)# interface Ethernet0
ASA2(config-if)# channel-group 1 mode active
ASA2(config-if)# no shutdown
ASA2(config)# interface Ethernet1
ASA2(config-if)# channel-group 1 mode active
ASA2(config-if)# no shutdown3. Configure Member Interfaces for Port-Channel 2 (Inside)
ASA2(config)# interface Ethernet2
ASA2(config-if)# channel-group 2 mode active
ASA2(config-if)# no shutdown
ASA2(config)# interface Ethernet3
ASA2(config-if)# channel-group 2 mode active
ASA2(config-if)# no shutdown4. Configure the CCL Physical Interface
ASA2(config)# interface Ethernet7
ASA2(config-if)# no shutdown5. Configure Spanned Port-Channels (No Nameif/IP Needed)
ASA2(config)# interface Port-channel1
ASA2(config-if)# port-channel span-cluster
ASA2(config)# interface Port-channel2
ASA2(config-if)# port-channel span-clusterNo nameif, security-level, or IP address is needed — ASA2 will sync the full configuration from the control unit once it joins the cluster.
6. Configure Cluster Bootstrap and Enable
ASA2(config)# cluster group ASA-Clusters
ASA2(cfg-cluster)# local-unit ASA2-Unit
ASA2(cfg-cluster)# cluster-interface Ethernet7 ip 10.10.10.2 255.255.255.252
ASA2(cfg-cluster)# console-replicate
ASA2(cfg-cluster)# priority 10
ASA2(cfg-cluster)# enableOnce enabled, ASA2 contacts the control unit over the CCL, syncs the full configuration, and joins as a data unit.
Verify Cluster Status
ASA1# show cluster info
ASA1# show cluster interface-mode
ASA1# show port-channel summary
ASA1# show cluster resource usageExpected output should show:
- ASA1 as control unit (priority 1)
- ASA2 as data unit (priority 10)
- Both members in “MASTER” and “SLAVE” state respectively
- Spanned port-channels with members from both units
Configuration Steps (ASDM)
Screenshots and ASDM walkthrough coming soon.